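#!/bin/sh
#
# Provision the local slapd instance the ldap test suite talks to: a
# self-signed TLS certificate, ldap/ldaps/ldapi listeners, the
# dc=my-domain,dc=com database with its overlays and base entry, and a
# retried ldaps connection check at the end. Needs sudo on a host with slapd,
# the ldap client tools (ldapsearch/ldapadd/ldapmodify) and openssl installed.
#
# -e: stop at the first failing command; -u: an unset variable is an error
# instead of silently expanding to nothing (the portable strict subset).
set -eu

# Create TLS certificate
sudo mkdir -p /etc/ldap/ssl
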
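#######################################
# Build the subjectAltName value for the self-signed server certificate:
# every name this host answers to as DNS: entries, every address as IP:
# entries, joined with commas ("DNS:a,DNS:b,IP:1.2.3.4,...").
# "localhost" and the loopback addresses are always included because the
# TLS check at the end of the script connects to ldaps://localhost. Each
# hostname lookup may fail on its own (no resolver inside a container, an
# unsupported flag) without dropping the names gathered by the others, which
# is why every call is guarded with "|| :" and its stderr discarded.
# Outputs:   the SAN list on stdout
# Returns:   0
#######################################
alt_names() {
  (
    {
      echo localhost
      hostname 2>/dev/null || :
      hostname -a 2>/dev/null || :
      hostname -A 2>/dev/null || :
      hostname -f 2>/dev/null || :
    } | xargs -n 1 | sort -u | sed -e 's/^/DNS:/'
    {
      echo "127.0.0.1 ::1"
      hostname -i 2>/dev/null || :
      hostname -I 2>/dev/null || :
    } | xargs -n 1 | sort -u | sed -e 's/^/IP:/'
  ) | paste -d, -s
}
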
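# Self-signed server certificate for slapd, valid 10 years, with the key
# written unencrypted (-nodes) so slapd can load it without a passphrase.
# The SAN list comes from alt_names so the certificate matches whatever name
# the test client uses to reach this host; $(...) replaces the backticks.
sudo openssl req -newkey rsa:4096 -x509 -nodes -days 3650 \
  -out /etc/ldap/ssl/server.crt -keyout /etc/ldap/ssl/server.key \
  -subj "/C=US/ST=Arizona/L=Localhost/O=localhost/CN=localhost" \
  -addext "subjectAltName = $(alt_names)"
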
# The certificate and key must be readable by the slapd service account.
sudo chown -R openldap:openldap -- /etc/ldap/ssl

# Display the TLS certificate (should be world readable)
openssl x509 -in /etc/ldap/ssl/server.crt -noout -text

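# Point to the certificate generated: comment out any existing TLS_CACERT
# directive and append ours. The presence check is anchored at line start
# (allowing leading blanks, as the sed below does) so that a commented-out
# copy of the directive no longer satisfies it and leaves the client without
# a trust anchor for the self-signed server certificate.
if ! grep -q '^[[:space:]]*TLS_CACERT[[:space:]][[:space:]]*/etc/ldap/ssl/server\.crt' /etc/ldap/ldap.conf; then
  sudo sed -e 's|^\s*TLS_CACERT|# TLS_CACERT|' -i /etc/ldap/ldap.conf
  echo 'TLS_CACERT /etc/ldap/ssl/server.crt' | sudo tee -a /etc/ldap/ldap.conf
fi
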
# Configure LDAP protocols to serve: plain, TLS and the local unix socket.
# Only an existing SLAPD_SERVICES assignment is rewritten; NOTE(review): an
# absent or commented-out line is left alone, so ldaps:/// would not be served.
sudo sed -i -e 's|^[[:space:]]*SLAPD_SERVICES[[:space:]]*=.*$|SLAPD_SERVICES="ldap:/// ldaps:/// ldapi:///"|' /etc/default/slapd

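# Configure LDAP database: locate the database entry under cn=config that
# carries both a rootDN and a suffix; that is the one rebased onto the test
# suffix below.
DBDN=$(sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config \
  '(&(olcRootDN=*)(olcSuffix=*))' dn | grep -i '^dn:' | sed -e 's/^dn:\s*//')
# A pipeline's status is that of its last stage, so a search that matches
# nothing leaves DBDN empty without tripping set -e and the LDIF below would
# carry a "dn:" with no value. Fail here with a clear message instead.
# NOTE(review): if several databases match, DBDN holds several lines and the
# LDIF is equally malformed — confirm the config has exactly one such entry.
: "${DBDN:?no olcDatabase entry with both olcRootDN and olcSuffix found}"
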
# The ppolicy schema is only loaded when it ships as a separate LDIF;
# presumably newer OpenLDAP releases carry it inside the overlay — confirm.
if [ -f /etc/ldap/schema/ppolicy.ldif ]; then
  sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/ppolicy.ldif
fi

# Reconfigure the existing database for the tests: move it to the
# dc=my-domain,dc=com suffix with cn=Manager as rootDN and a cleartext rootPW
# (a throwaway fixture password, reused verbatim by the binds below); point
# cn=config at the self-signed certificate and key (the same file serves as
# CA file and server certificate, which works because it is self-signed);
# never request a client certificate; map the DIGEST-MD5 SASL identity
# "usera" onto cn=usera under the test suffix; load the sssvlv, ppolicy and
# dds modules. NOTE(review): olcLogLevel -1 presumably enables every slapd
# log category — confirm; it is very chatty.
sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// << EOF
dn: $DBDN
changetype: modify
replace: olcSuffix
olcSuffix: dc=my-domain,dc=com
-
replace: olcRootDN
olcRootDN: cn=Manager,dc=my-domain,dc=com
-
replace: olcRootPW
olcRootPW: secret

dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ldap/ssl/server.crt
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/ssl/server.crt
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/ssl/server.key
-
add: olcTLSVerifyClient
olcTLSVerifyClient: never
-
add: olcAuthzRegexp
olcAuthzRegexp: uid=usera,cn=digest-md5,cn=auth cn=usera,dc=my-domain,dc=com
-
replace: olcLogLevel
olcLogLevel: -1

dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: sssvlv
-
add: olcModuleLoad
olcModuleLoad: ppolicy
-
add: olcModuleLoad
olcModuleLoad: dds
EOF

# Attach the overlays whose modules were loaded above to the test database.
# sssvlv (server-side sorting / virtual list view) is bounded by olcSssVlvMax
# and olcSssVlvMaxKeys — NOTE(review): presumably max concurrent sort requests
# and max sort keys per request, confirm against slapo-sssvlv(5). ppolicy is
# enabled without a default policy; the commented-out LDIF below explains
# why. dds is dynamic directory services.
sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// << EOF
dn: olcOverlay=sssvlv,$DBDN
objectClass: olcOverlayConfig
objectClass: olcSssVlvConfig
olcOverlay: sssvlv
olcSssVlvMax: 10
olcSssVlvMaxKeys: 5

dn: olcOverlay=ppolicy,$DBDN
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
### This would clutter our DIT and make tests to fail, while ppolicy does not
### seem to work as we expect (it does not seem to provide expected controls)
## olcPPolicyDefault: cn=default,ou=pwpolicies,dc=my-domain,dc=com
## olcPPolicyHashCleartext: FALSE
## olcPPolicyUseLockout: TRUE

dn: olcOverlay=dds,$DBDN
objectClass: olcOverlayConfig
objectClass: olcDdsConfig
olcOverlay: dds
EOF

# Equality index on entryExpireTimestamp. NOTE(review): presumably so the dds
# overlay enabled above can locate expired dynamic entries efficiently —
# confirm.
sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// << EOF
dn: $DBDN
changetype: modify
add: olcDbIndex
olcDbIndex: entryExpireTimestamp eq
EOF

# Create the base entry of the test suffix. This is a simple bind as the
# rootDN configured above over the local socket (no sudo / SASL EXTERNAL
# involved), so the fixture password travels on the command line and shows
# up in process listings and CI logs — fine only because it is a throwaway
# test credential. The commented-out LDIF is a password policy that is
# deliberately not loaded (see the note inside it).
ldapadd -H ldapi:/// -D cn=Manager,dc=my-domain,dc=com -w secret <<EOF
dn: dc=my-domain,dc=com
objectClass: top
objectClass: organization
objectClass: dcObject
dc: my-domain
o: php ldap tests

### This would clutter our DIT and make tests to fail, while ppolicy does not
### seem to work as we expect (it does not seem to provide expected controls)
## dn: ou=pwpolicies,dc=my-domain,dc=com
## objectClass: top
## objectClass: organizationalUnit
## ou: pwpolicies
##
## dn: cn=default,ou=pwpolicies,dc=my-domain,dc=com
## objectClass: top
## objectClass: person
## objectClass: pwdPolicy
## cn: default
## sn: default
## pwdAttribute: userPassword
## pwdMaxAge: 2592000
## pwdExpireWarning: 3600
## #pwdInHistory: 0
## pwdCheckQuality: 0
## pwdMaxFailure: 5
## pwdLockout: TRUE
## #pwdLockoutDuration: 0
## #pwdGraceAuthNLimit: 0
## #pwdFailureCountInterval: 0
## pwdMustChange: FALSE
## pwdMinLength: 3
## pwdAllowUserChange: TRUE
## pwdSafeModify: FALSE
EOF

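# Restart so the listener, TLS and overlay changes take effect.
sudo service slapd restart

# Verify TLS connection: slapd may still be coming up, so retry a few times
# before giving up. The search must not run as a bare command: under set -e
# its non-zero status would abort the script before the retry logic below
# ever ran, which is what the previous `ldapsearch ...; rt=$?` form did.
tries=0
while : ; do
  rt=0
  ldapsearch -d 255 -H ldaps://localhost -D cn=Manager,dc=my-domain,dc=com -w secret \
    -s base -b dc=my-domain,dc=com 'objectclass=*' || rt=$?
  if [ "$rt" -eq 0 ]; then
    echo "OK"
    exit 0
  fi
  tries=$((tries + 1))
  # Four attempts in total, three seconds apart; exit with the last
  # ldapsearch status so the CI job fails visibly.
  if [ "$tries" -gt 3 ]; then
    echo "exit failure $rt"
    exit "$rt"
  fi
  echo "trying again"
  sleep 3
done
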